
XSS on using the legacy "Graphie To PNG" API


An attacker can upload malicious graphies via (http://graphie-to-png.kasandbox.org/) and (http://graphie-to-png.khanacademy.systems/) that exploit the graphie renderer. The attack targets any page that has a graphie (`khanacademy.org`!!), as well as `cdn.kastatic.org` and `ka-perseus-graphie.s3.amazonaws.com`.

# Proof of concept

## Step 1: Uploading a malicious graphie

Consider the...
